Professional Documents
Culture Documents
Jyoti Raval
Harness
Agenda
• Introduction
• What is API?
• Why API testing?
• How API testing works?
• Harness API testing strategy
• Automation & Scaling
About Me
• I am Jyoti Raval, working as Staff Product Security Engineer with Harness
• Responsible for researching on new security trends and help secure product
end-to-end
• Application security enthusiast
• Presented at BlackHat,DefCon,HITB,NullCon,InfosecGirls and OWASP.
• Author of tool - Phishing Simulation Assessment & Managing Pentest - MPT
• OWASP Pune chapter leader and goes by jenyraval on github
What is an API?
API is the acronym for Application Programming Interface,
to talk to each other. Each time you use an app like Facebook,
than doubled the overall growth in API traffic in the last 12 months.
According to the report, 95% of organisations running production APIs have experienced an API security incident in the last 12
months.
However, most organisations are unprepared to handle these challenges, with over a third (34%) having no API security strategy.
Similarly, traditional security measures continue to fail, giving organisations a false sense of security.
How API testing works?
Security testing helps ensure that basic security requirements have been met, including the conditions of user access, encryption, and
authentication concerns. The idea behind API scanning is to craft inputs to coax bugs and undefined behaviour out of an API,
essentially mimicking the actions and attack vectors of would-be hackers.
Mapping Attacks:
It is important to define first, what all areas we would be covering as a part of testing.
Understanding APIs and their business use is of paramount importance in order to understand the amount of impact security
loopholes would have on business. Also helps us building tailor made attacks on APIs. It is important to think like an attacker.
APIs expand the capabilities and functionalities business can offer, without putting a ton of resources behind integrations. To get the
most out of APIs, they use APIs in the following ways:
Understand among which of the category above current testing is falling unto.
Harness API testing strategy
3. API as a contract — first, check the spec!
An API is essentially a contract between the client and the server or between two applications. Before any implementation test can
begin, it is important to make sure that the contract is correct. That can be done first by inspecting the spec (or the service contract
itself, for example a Swagger interface or OpenAPI reference) and making sure that endpoints are correctly named, that resources and
their types correctly reflect the object model, that there is no missing functionality or duplicate functionality, and that relationships
between resources are reflected in the API correctly.
Here you can run the tool of your choice for which you have done POC thoroughly.
Though there are various tools, we started with BurpSuite Pro, Traceable AI which you can use as well to find security issues.
Additionally open source tools like Postman and/or SoapUI can be used as well.
Burp has extensive set of plug-ins which can be used to focus on various attacks. for eg: OpenAPI Parser
Business logic vulnerabilities are flaws in the design and implementation of an API that allow an attacker to elicit unintended
behaviour. This potentially enables attackers to manipulate legitimate functionality to achieve a malicious goal.
For example, Look at how certain permissions are given to resources, how licensing is being validated, how cost to customer is
calculated if manipulation or flaw in above scenario exists then it’s a CIA breach and could cost a revenue loss to business.
Harness API testing strategy
8.Report
9.Automate and Scale:
Why automate?
Considering the amount of rapid development happening around the year at any fast growing organisation, it is important for security
team to cope up with the speed at which it is being developed.
How to automate?
There could be various ways to automate API testing and testing the change during each release.
It is not possible to test all the APIs during each of the release cycle. We will have to pick a frequency at which we would do complete
API testing and rest of the releases we would be picking up just delta.
Thank you!